More details are emerging regarding the Paris Hilton cellphone incident. I'd like to use this case to take a look at the various approaches used to perform incident response. The first two methods are technical, and the third is non-technical.
First we have the assessment approach. This involves probing target systems which may have been involved in the incident. Assessors look for security weaknesses in services and applications they believe could have yielded the information acquired by the intruders. Jack Koziol's recent blog entry is an example of this approach.
In my opinion this method is least likely to yield useful information about the incident at hand, and is often a waste of time. The assessment approach is largely speculation, albeit with access to some or all of the systems which could have been victimized. From a forensic standpoint, this is a poor way to investigate an intrusion. Assessors typically interact directly with victimized or potentially victimized systems. Their "investigation" risks damaging evidence that could be retrieved by a forensic investigator. Despite the harm caused by this method, I have read the CSO of an immense security company advocate this approach in her most recent book.
The assessment approach is useful for incident recovery. It is important to know the scope of a target's vulnerabilities before declaring a case "solved." It does no good to patch one hole if three remain open. I wrote about combining assessment with incident response in a whitepaper for Foundstone titled Expediting Incident Response with Foundstone ERS. Jack's probing of the T-Mobile site is valuable in that it shows they still have problems. The assessment method may in some cases yield the answer to a problem by constructing an experiment resembling the incident. Professor Feynman's O-ring in ice water experiment shows the power of doing "what-if" incident response. The problem I've seen in the digital realm is that the assessment-minded conduct their "investigation" on the original evidence (the victimized systems), thereby spoiling information for the next phase...
The second technical way to investigate an incident is the forensic method. This process centers on examining digital evidence collected from victimized or potentially victimized systems in a forensically sound manner. Evidence is acquired carefully, in accordance with procedures most likely to withstand an adversarial legal system. This contrasts starkly with the assessment method, where assessors typically "race to root" on the target and then declare "victory."
The weakness of the forensic method lies in the lack of evidence or an absence of useful evidence. I have performed many incident responses where I only acquired case-solving information by collecting it with my own products and processes. Frequently the victim has not enabled sufficient logging, or he has trampled the evidence by performing his own amateur investigation. While the former is usually not excusable, the latter often cannot be avoided. If an administrator suspects something is wrong with one of her servers, she is most likely going to check it out before calling in outside forensic help. Unfortunately, this destroys evidence that could have been collected in a fairly easy manner.
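The discipline behind the forensic method is simple to state: acquire a copy of the evidence before anyone touches it, hash the original and the copy at acquisition time, write down who acquired what and when, and re-verify the hash before every analysis session. The following is an added example of that routine, not code from the original post. It copies a constructed sample log, records a SHA-256 hash and a custody record, and then simulates the "amateur investigation" by editing the copy in place to show that the change is detected. The file names, the custody-record layout and the examiner name are assumptions for illustration.

```python
"""
Added example (not from the original post): a minimal "acquire first, analyse later"
routine for the forensic method. Paths, field names and the examiner identity are
illustrative assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, dest_dir, examiner):
    """Copy `source` into `dest_dir`, hashing both the original and the copy.

    The copy is made read-only afterwards, and the custody record captures who
    acquired what, when, and the hash that the original and the copy agreed on.
    """
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(source) + ".img")
    source_hash = sha256_file(source)
    shutil.copyfile(source, dest)
    copy_hash = sha256_file(dest)
    if source_hash != copy_hash:
        raise RuntimeError("copy does not match source; do not proceed")
    os.chmod(dest, 0o444)  # discourage accidental modification of the working copy
    record = {
        "source": os.path.abspath(source),
        "image": dest,
        "sha256": copy_hash,
        "size": os.path.getsize(dest),
        "examiner": examiner,  # assumed identifier for the person acquiring
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(dest + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify(record):
    """Re-hash the image and compare it with the hash recorded at acquisition."""
    return sha256_file(record["image"]) == record["sha256"]


def demo():
    """Acquire a constructed evidence file, then show that tampering is detected.

    Returns (intact_before, intact_after): True before the edit, False after it.
    """
    work = tempfile.mkdtemp(prefix="ir-demo-")
    evidence = os.path.join(work, "auth.log")
    # Constructed sample log lines; not taken from any real system.
    with open(evidence, "w") as f:
        f.write("Feb 22 03:14:07 host sshd[911]: Accepted password for root from 10.0.0.5\n")
        f.write("Feb 22 03:14:09 host sshd[911]: pam_unix(sshd:session): session opened\n")
    record = acquire(evidence, os.path.join(work, "evidence"), examiner="analyst-1")
    intact_before = verify(record)
    # Simulate the admin "checking it out": appending to the image in place.
    os.chmod(record["image"], 0o644)
    with open(record["image"], "a") as f:
        f.write("Feb 22 03:20:00 host admin: looked around, nothing suspicious\n")
    intact_after = verify(record)
    return intact_before, intact_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the design is that the hash is taken before analysis begins and is stored separately from the image, so any later change, whether an attacker's anti-forensics or an administrator's well-meant poking around, shows up as a verification failure rather than silently becoming part of the "evidence". In practice the original should be hashed from a read-only mount or hardware write blocker and the custody record should itself be signed or stored out of band; this example keeps only the core acquire-hash-verify loop.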
The third way to investigate an intrusion is the law enforcement method. I do not necessarily mean law enforcement is involved, although they are most likely to follow this technique. Rather, I am referring to a non-technical, human source-oriented means of investigating an incident. This method relies on cultivating informants, interviewing various parties, and conducting open-source research on threats that may have had the capabilities and intentions to harm a victim.
Several examples can be found on the Web. Brian McWilliams reports the following:
"An anonymous source provided O'Reilly Network with a screen grab, proving he was able to access the contents of Hilton's T-Mobile inbox as of Tuesday morning. Another image confirmed that Hilton's 'secret answer' was her dog's name."
This Rootsecure.net story mixes the assessment and law enforcement methods, but it points to the existence of tMobile_exploit_tools.zip, a program to gain access to T-Mobile Web accounts.
Incidentally, CSC posted an advisory last August saying "T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID authentication spoofing, enabling arbitrary compromise of customer voicemail/message center." Essentially, the phones can be set up to trust callers and play voicemail based on caller ID, which can be spoofed.
The law enforcement method can be the most successful means to resolve an intrusion. It is especially helpful when digital evidence is lacking. Often an investigator (most likely a real law enforcement agent) can acquire evidence pointing to the physical intruder, usually by speaking with informants. The law enforcement agents then execute a search warrant on the suspected intruder's home or office to obtain digital, hard-copy, and physical evidence. This is generally the only way to tie a person to a keyboard, which is the best means to successfully prosecute an intruder.